How to integrate Cisco IronPort (Email gateway) with Cisco ACS5.2 AAA

arul.nandhakumar · ‎09-03-2013

Hi,

We are having two Email gateways C370 ver.7.6 and one Management appliance M670 ver.7.9, we want to integrate those Email Gateway with Cisco ACS ver 5.2.

Please help me out to configure the Radius authentication in Email Gateway and Cisco ACS.

Thanks,

Nandha

Robert Sherwin · ‎09-03-2013

Nandha -

Please see the Daily Mangement Guide, 8-25:

http://www.cisco.com/en/US/docs/security/esa/esa7.6/ESA_7.6_Daily_Management_Guide.pdf

You can also use a RADIUS directory to authenticate users and assign groups of users to Cisco IronPort roles. The RADIUS server should support the CLASS attribute, which AsyncOS uses to assign users in the RADIUS directory to Cisco IronPort user roles. AsyncOS supports two authentication protocols for communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).

To assign RADIUS users to Cisco IronPort user roles, first set the CLASS attribute on the RADIUS server with a string value of , which will be mapped to Cisco IronPort user roles. The CLASS attribute may contain letters, numbers, and a dash, but cannot start with a dash. AsyncOS does not support multiple values in the CLASS attribute. RADIUS users belonging to a group without a CLASS attribute or an unmapped CLASS attribute cannot log into the appliance.

If the appliance cannot communicate with the RADIUS server, the user can log in with a local user account on the appliance.

NoteIf an external user changes the user role for their RADIUS group, the user should log out of the appliance and then log back in. The user will have the permissions of their new role.

To enable external authentication using RADIUS:

Step 1On the System Administration > Users page, click Enable. The Edit External Authentication page is displayed.

Step 2Select the Enable External Authentication check box.

Step 3Select RADIUS for the authentication type.

Figure 8-18Enabling External Authentication Using RADIUS

Step 4Enter the host name for the RADIUS server.

Step 5Enter the port number for the RADIUS server. The default port number is 1812.

Step 6Enter the Shared Secret password for the RADIUS server.

NoteWhen enabling external authentication for a cluster of Cisco IronPort appliances, enter the same Shared Secret password on all appliances in the cluster.

Step 7Enter the number of seconds that the appliance waits for a response from the server before timing out.

Step 8Select whether to use PAP or CHAP for RADIUS authentication.

Step 9Optionally, click Add Row to add another RADIUS server. Repeat steps 6 and 7 for each RADIUS server that your appliance uses for authentication.

Step 10Enter the amount of time to store external authentication credentials in the web user interface.

Step 11Select whether to map a group of RADIUS users to a Cisco IronPort role, or grant all RADIUS users the Administrator role. It is recommended that you map RADIUS groups to Cisco IronPort roles.

Step 12If you chose to map a RADIUS group to a Cisco IronPort role, enter the RADIUS CLASS attribute for the group and select the role for users with that CLASS attribute.

Step 13Optionally, click Add Row to add another group. Repeat steps 11 and 12 for each group of users that the appliance authenticates.

Step 14Submit and commit your changes.

Regards,

Robert

Content Security Technical Services - RTP, NC

Cheers,
Robert Sherwin

arul.nandhakumar · ‎09-03-2013

Thanks a lot Robert,

Is there any special configuration required in Cisco ACS?

Robert Sherwin · ‎09-04-2013

I do not have the answer to that. Since I only deal with the ESA/SMA appliances for content security. You can check and ask in the ACS forums - they may be able to assist and answer!

I believe they are in:

https://supportforums.cisco.com/community/netpro/security/intrusion-prevention

-Robert

Cheers,
Robert Sherwin